Crooks steal security firm’s crypto key, use it to sign malware

Bit9 compromise allowed malware to penetrate customers' defenses.

Hackers broke into the network of security firm Bit9 and used one of its cryptographic certificates to infect at least three of its customers with digitally signed malware, the company said on Friday afternoon.

The compromise is striking because Bit9's "application whitelisting" approach allows virtually all digitally signed software to run on customers' networks and PCs. Stealing one of its credentials and using it to sign malware all but guarantees it will get a free pass on the systems of customers who use the service. Bit9 is contracted to help secure the networks of the US government and a variety of Fortune 500 companies. The breach was first reported by KrebsonSecurity reporter Brian Krebs.

"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," CEO Patrick Morley wrote in a blog post. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."

An investigation into the breach has revealed three customers were affected by the fraudulently signed malware. The stolen certificate has since been revoked so it can't be used to compromise other Bit9 customers. There's no indication that the company's whitelisting products themselves have been compromised, Morley said.

While Morley attributed the compromise to an oversight in installing its product on a small number of PCs, the true cause is much broader. Code-signing keys are supposed to be kept in so-called hardware security modules (HSMs), dedicated devices with their own cryptography-dedicated processor and tamper-resistant key storage; the private key never leaves the module, which receives the hash of each file to be signed and returns only the signature. These devices are generally segregated from the rest of a company's network so that the keys they hold can't be abused in the event of a breach. Even then, an attacker who takes over the workstation authorized to request signatures can still get malware signed, which is why access to that workstation should be tightly restricted and every signing request logged. In November, Ars provided this detailed look at the lengths Symantec goes to secure its valuable signing keys for SSL encryption.

Morley's blog post provided no details about how Bit9's sensitive credentials were stored and whether those measures have been tightened following the breach. He also didn't say whether the Bit9 PCs that were infected were running antivirus software and whether the network was outfitted with other types of security protection, such as intrusion prevention systems. His explanation also smacks of PR shenanigans because it suggests Bit9's only mistake was failing to ensure its product was installed on all its computers. Bit9 marketers have long lauded their product as a superior security offering over antivirus protection.

It's not the first time crooks have abused the imprimatur of a widely trusted digital credential to validate malware. In September, Adobe Systems revoked one of its code signing certificates after hackers compromised a build server used to compile and package the company's applications. Victims who encountered the malware signed by the key received a cryptographically validated assurance that the software was a legitimate offering from Adobe, significantly increasing the chances that they'd be tricked into installing it.

Remember RSA hack?

The Bit9 compromise also has parallels to the 2011 breach of EMC security division RSA. There's no evidence that hackers in that attack considered RSA the primary target. Rather, they used the intrusion to steal proprietary data related to RSA SecurID tokens that millions of people use to log in to government and corporate networks. In the weeks following the attack, defense contractor Lockheed Martin said a breach of its network was aided by the theft of confidential RSA data.

In a similar vein, it seems likely that attackers targeted Bit9 to infect its customers' networks. The incident is an important reminder that there are significant limitations to the type of security service Bit9 provides.

"Whitelisting does not tell if software is benign, malicious, or even exploitable," said Randy Abrams, Research Director of NSS Labs, a firm that tests security products and writes analysis of security. "It tells you that the application was approved."

Story updated to change language describing NSS Labs in the last paragraph.

They didn't airgap a signing machine? They weren't at least using a hardware solution that required a human be in the loop? Jeez, overall standards still have a ways to go.

Given that you can use Software Restriction Policies to whitelist by cryptographic signature (or executable hash) and default-deny without any 3rd-party add-ons, I have to wonder what exactly their value-add really is if it's such amateur hour around their signing keys...

If I wanted to skip the HSM and generally do a shoddy job, I could do that myself without much trouble.

A trip to their site tells me that they had better get serious; they claim to be in the top 5 on everything... maybe they missed the "Number one in internal security practices". I wonder if they're undermanned and overworked.

Doubtful, this is a recoverable compromise. The organizations who were the true target know full well that their opponents are bringing their A-game.

I've seen some confusion on the twitters about this code signing business - they are not a CA - only their own identity is compromised and it has been revoked and reissued. Hence the malware will no longer check out on systems which have access to the internet to check revocation servers.


Unless the malware gets in between. Then it can rewrite CRLs and OCSP responses as needed, can't it?

There seems to be some confusion (in the comments, and even in the company's statement) about how certificates work.

Certificates are not secret. They are public by their nature. The term "stolen" doesn't really apply. It's obviously the private key that was stolen in this case. (Edit: Stolen, or otherwise compromised. The "temporary access" bit in the statement suggests attackers gained access to a signing engine, but not the key itself.)

I think people conflate the two because of how the PKI systems (including SSL/TLS) are managed. You need to get a certificate for browsers to recognize your web site, so people assume that that is the important bit, and that it must also be the secret key. Not so. Adding to the confusion is that many CAs will offer to generate a private key for you (which is a bad idea from a cryptographic standpoint, because there is no legitimate reason for the CA to ever need access to your private key).
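Worked example, added here and not code from the article, from Bit9 or from any commenter: a toy publisher-based allowlist in Go, run through the scenario the article and the comments above describe. It mints a vendor root and a code-signing leaf (the names "Example Vendor" and "Attacker", the serial number 4242 and the byte strings standing in for executables are all made up for this example), signs a legitimate binary and then a piece of "malware" with the same leaf key, as the intruder did, and checks both against a rule that runs anything chaining to the vendor. It then shows the two points raised in the comments: the certificate shipped with the binary is public and only the private key matters, and revocation only helps if the CRL the verifier fetches was really signed by the issuer, so a clean CRL substituted by an on-path attacker and signed with some other key fails closed. A hash rule, the Software Restriction Policies alternative mentioned above, is included for contrast. The example uses only Go's standard library (crypto/x509, Go 1.19 or later for ParseRevocationList) and Ed25519 in place of Authenticode/RSA as a simplification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// pki is a vendor's signing identity: a root (the key that belongs in an HSM) and a
// code-signing leaf whose private key the intruder got to use. Names and serials are made up.
type pki struct {
	caKey, leafKey ed25519.PrivateKey
	ca, leaf       *x509.Certificate
}

func newPKI(name string) *pki {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	// issue generates a fresh key for t and has signer (or t's own key, for the root) certify it.
	issue := func(t, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		_, key, err := ed25519.GenerateKey(rand.Reader)
		check(err)
		if signer == nil {
			signer = key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer)
		check(err)
		c, err := x509.ParseCertificate(der)
		check(err)
		return c, key
	}
	ca, leaf := tmpl(1, name+" Root"), tmpl(4242, name)
	ca.IsCA, ca.BasicConstraintsValid = true, true
	ca.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	leaf.KeyUsage = x509.KeyUsageDigitalSignature
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	p := &pki{}
	p.ca, p.caKey = issue(ca, ca, nil)
	p.leaf, p.leafKey = issue(leaf, p.ca, p.caKey)
	return p
}

// crl issues a CRL from the root listing the given serials as revoked.
func (p *pki) crl(revoked ...*big.Int) []byte {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, t, p.ca, p.caKey)
	check(err)
	return der
}

// signedBinary ships the (public) certificate with the code; only the private key can produce sig.
type signedBinary struct {
	code, sig []byte
	cert      *x509.Certificate
}

func sign(code []byte, key ed25519.PrivateKey, cert *x509.Certificate) signedBinary {
	return signedBinary{code, ed25519.Sign(key, code), cert}
}

// allow is a publisher rule: run anything whose signature chains to a trusted publisher, unless
// the issuer's CRL (fetched over the network, so possibly attacker-supplied) revokes that publisher.
func allow(b signedBinary, roots *x509.CertPool, crlDER []byte) error {
	if err := b.cert.CheckSignature(x509.PureEd25519, b.code, b.sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	chains, err := b.cert.Verify(opts)
	if err != nil {
		return fmt.Errorf("untrusted publisher: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("unusable CRL: %w", err)
	}
	// A CRL is evidence only if the issuer signed it; a substituted one fails closed.
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(b.cert.SerialNumber) == 0 {
			return errors.New("publisher certificate revoked")
		}
	}
	return nil
}

// hashAllowed is the per-binary alternative (an SRP hash rule): a stolen key buys nothing here
// because the malware's digest was never approved.
func hashAllowed(approved map[[32]byte]bool, code []byte) bool {
	return approved[sha256.Sum256(code)]
}

// run walks the scenario, returning each publisher-rule decision by name and the hash-rule verdict.
func run() (map[string]error, bool) {
	vendor := newPKI("Example Vendor")
	roots := x509.NewCertPool()
	roots.AddCert(vendor.ca)
	agent := []byte("vendor-agent-1.0")      // constructed stand-ins for executables
	malware := []byte("not-a-backdoor.exe") // signed by the intruder with the stolen key
	bad := sign(malware, vendor.leafKey, vendor.leaf)
	out := map[string]error{"agent": allow(sign(agent, vendor.leafKey, vendor.leaf), roots, vendor.crl())}
	out["malware before revocation"] = allow(bad, roots, vendor.crl())
	out["malware after revocation"] = allow(bad, roots, vendor.crl(vendor.leaf.SerialNumber))
	out["malware with forged CRL"] = allow(bad, roots, newPKI("Attacker").crl()) // on-path swap
	return out, hashAllowed(map[[32]byte]bool{sha256.Sum256(agent): true}, malware)
}

func main() {
	fmt.Println(run())
}
```

The publisher rule accepts the malware right up until the leaf is revoked, which is the whole point of the breach: the rule trusts an identity, and the intruder was able to speak as that identity. The forged-CRL case only covers an attacker who must sign the substitute with a key the issuer never had; an attacker who replays an older, genuinely signed CRL from before the revocation is caught only by freshness checks on NextUpdate, and a process that already runs as SYSTEM can disable the check altogether.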

Look, even if they just had a teeny little "Whooops!" moment on that one computer in the custodian's closet office (the one everybody uses for downloading pron ordering supplies online) these guys are still tops. You know it's true because they're using full 9 bit encryption; none of this half-assed 8 bit stuff. We're talking a full Nein Bits encryption baby.


The extra bit is chocolate.

---

My brother works for Bit9, albeit in their sales department. He bought into the Kool-Aid of their products being awesome/totally unique/indestructible. After seeing the weaknesses of whitelist security up close, I can only wonder what his confidence is now.

Doubtful, this is a recoverable compromise. The organizations who were the true target know full well that their opponents are bringing their A-game.

I've seen some confusion on the twitters about this code signing business - they are not a CA - only their own identity is compromised and it has been revoked and reissued. Hence the malware will no longer check out on systems which have access to the internet to check revocation servers.

Unless the malware gets in between. Then it can rewrite CRLs and OCSP responses as needed, can't it?

Or if it's already EoP to root/system (please don't tell me they were logging in as Admin) then it can just disable updates altogether...

KevinM1 wrote:

My brother works for Bit9, albeit in their sales department. He bought into the Kool-Aid of their products being awesome/totally unique/indestructible. After seeing the weaknesses of whitelist security up close, I can only wonder what his confidence is now.

Nothing wrong with whitelist approaches as long as you don't store your signing key on your pron market research machine...

I can't help wondering if a competitor is behind this. Could this be industrial espionage?

Doubtful....

In the past it was worth spying on your competitor, but the EU and USA agencies would fine the competitor into bankruptcy. Besides, it doesn't appear they got any of Bit9's trade secrets, which they also would have to disclose.